Root security certificate expiring September 30 affecting El Capitan and older

El Capitan and older Mac OS X are about to have a security certificate problem

This will also affect iOS 9 and older.

A comment on Howard’s story makes it sound easy to manually add the needed newer root certificate to OS X or to iOS:

You double-click the certificate, accept the prompts, type in your password, done. It’s not any more difficult even on any ancient iOS version.

https://letsencrypt.org/certs/isrgrootx1.pem

That should work until that certificate expires, September 30, 2024.

For just web browsing on the Mac, one could also use Firefox 78.14.0esr. It uses its own list of root certificates, which is recent enough, and that specific version is the last to run on OS X 10.9 - 10.11.

Separate from certificate issues, Safari 9 and other old browsers will likely have more problems in the future. As support for Internet Explorer 11 is finally being dropped from web sites, the next oldest supported browser will likely be iOS Safari 10.3.

4 Likes

This is useful information, thanks.

I have a 2007 iMac which I keep in my office. It can’t be upgraded past El Capitan.

It doesn’t get much use (I mainly use it to run the old version of Audio Hijack Pro which had AppleScript support) but it’s still very much a functional computer for basic things, like web browsing. (The screen is definitely getting dim, but otherwise, it works fine.)

Safari already does not work on many sites, but Google Chrome does. It’s odd to use Google Chrome as my default browser as I’ve always used Safari as my primary, but I also keep Google Chrome installed too, so it’s not too bad.

I wonder if this will help the issues that I’ve previously had with Safari.

When a root certificate expires, any site using a certificate that relies on it will not load in your browser. You will see the same kind of warning page caused by site-specific problems like certificate expiration or using a certificate that doesn’t include the visited domain name (e.g. certificate is issued only for example.com but the site is trying to also use it for www.example.com).

If a site loads but looks or acts broken in some way, the developers probably are using newer code features an older browser doesn’t support. The last version of Safari for El Capitan is 11.1.2, which is now three years old. Some developers aren’t careful about making their sites at least minimally usable in older browsers with a definition of “older” being more than one version or more than one year old.

I’m a little surprised the current version of Google Chrome still works on El Capitan. Chrome relies on the macOS root certificate store so this expiration affects it as well as Safari. There was an announcement last year that Chrome would switch to having its own root store (except the iOS/iPadOS version, Apple won’t allow it) but it doesn’t yet.

I can say that Safari now works on El Capitan too.

Unfortunately I don’t remember specifics about what didn’t work before, but I do remember it had to do with Let’s Encrypt certificates. All of which seem to work now.

And the certificate that was installed seems to say it will be good until 2035, not 2024. I doubt my 2007 iMac will still be in service by then, so it probably won’t be anything to worry about.

HOW TO DOWNLOAD, INSTALL, AND SET THE NEW SECURITY CERTIFICATE FOR GOOGLE CHROME & SAFARI ON EL CAPITAN

This worked 100% on my 2008 Mac Pro Tower running El Capitan (extremely fast and reliable for its age, Sierra cannot be installed on it).

INSTRUCTIONS

Go to

Root Certificates
Active
ISRG Root X1

Find the newest of this file link (first on the page)…
“Signed by ISRG Root X1: der, pem, txt”
Click on pem to download the correct one.

(I have my browser set to always download to the Desktop so I can quickly find the stuff I just downloaded, and I put it where it goes later).

Open Keychain Utility in the Applications > Utilities folder.

Enter your password every time asked.

Click System (upper left).

Drag the new Security Certificate from the Desktop into the Security page in the open Keychain Window.

Double click on the new Security Certificate.

Click the little arrow next to “Trust” at the top to expand it.

Choose “Always Trust” in the menu next to “When using this certificate:”

You can choose “Always Trust” because it literally just came from the website of the company that creates the Trusted Certificates.

1 Like
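
The posts above give two different expiry dates for the certificate (2024 and 2035) and set "Always Trust" on a downloaded file. The following is an added example, not part of the thread: a Python 3 script that reads the validity dates from the PEM file itself and compares its SHA-256 fingerprint with a value you supply. It assumes you obtained that fingerprint from a source other than the download; the script and function names are illustrative.

```python
import base64, hashlib, re, sys
from datetime import datetime, timezone

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):  # decode one DER element; returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def validity(der):
    """Return (notBefore, notAfter) of an X.509 certificate as UTC datetimes."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos      # skip the optional [0] version field
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)         # Validity SEQUENCE
    times = []
    for _ in range(2):
        tag, start, pos = read_tlv(der, pos)
        text = der[start:pos].decode("ascii")
        if tag == 0x17:                    # UTCTime has a 2-digit year; RFC 5280 pivots at 50
            text = ("19" if text[:2] >= "50" else "20") + text
        times.append(datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc))
    return tuple(times)

def check_root(pem_text, expected_sha256, now=None):
    """Return (ok, detail); ok only if the fingerprint matches and the cert is in date."""
    der = pem_to_der(pem_text)
    got = hashlib.sha256(der).hexdigest()
    if got != re.sub(r"[^0-9a-f]", "", expected_sha256.lower()):
        return False, "fingerprint mismatch, file has " + got
    not_before, not_after = validity(der)
    if not not_before <= (now or datetime.now(timezone.utc)) <= not_after:
        return False, "not valid now; notAfter " + not_after.isoformat()
    return True, "fingerprint ok; notAfter " + not_after.isoformat()

if __name__ == "__main__":  # usage: check_root.py <file.pem> <sha256 from a second source>
    print(check_root(open(sys.argv[1]).read(), sys.argv[2]))
```

The script needs only the standard library, so it can be run on any machine with Python 3 against the downloaded file before the file is dragged into the System keychain.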